CFPB blasted by Senate Banking Democrats for ‘entirely avoidable’ cybersecurity flaws

In a letter shared first with FedScoop, Sen. Warren and colleagues demand answers about an OIG report that found the agency’s cyber program to be ineffective due to cuts to staff and contracts.
Sen. Mark Warner, D-Va., and Sen. Elizabeth Warren, D-Mass., talk before the start of the Senate Banking, Housing and Urban Affairs Committee hearing on Feb. 24, 2015. (Photo By Bill Clark/CQ Roll Call)

Five Democrats on the Senate Banking Committee are demanding answers from the Consumer Financial Protection Bureau after a recent watchdog report revealed increasingly ineffective cybersecurity at the agency linked to staff cuts and reduced contractor support.

In a letter sent Monday to Russell Vought and shared first with FedScoop, Democratic Sens. Elizabeth Warren of Massachusetts, Mark Warner of Virginia, Andy Kim of New Jersey, Ruben Gallego of Arizona and Catherine Cortez Masto of Nevada blasted the acting CFPB director over the findings from an October Federal Reserve Office of Inspector General report. The OIG tied the Trump administration’s ongoing teardown of the agency to its inability to “maintain an effective level of awareness of security vulnerabilities in its environment.”

That outcome, the lawmakers told Vought, is “unacceptable, entirely avoidable, and directly tied to some of your efforts to gut the agency: illegally firing CFPB employees and arbitrarily canceling agency contracts.”

Warren, the ranking member of the Senate Banking Committee and architect of the CFPB in the aftermath of the 2008 financial crisis, and her colleagues made the case in their letter that the Trump administration “has gone out of its way to harm, rather than protect, American consumers served by the CFPB.” They cited actions to stop work orders, close the agency’s headquarters and carry out mass firings of employees.

The decimation of the CFPB’s workforce was paired with the cancellation of agency contracts worth hundreds of millions of dollars, according to court filings. That combination, per the OIG, led to the agency’s overall information security program dropping “from a level-4 maturity (managed and measurable) to a level-2 maturity (defined) in fiscal year 2025” — meaning CFPB’s cybersecurity “is not effective.” 

With such a diminished cybersecurity posture, the Senate Banking Democrats said the agency is ill-equipped to “protect the sensitive personal information of American consumers and businesses.”

“The agency maintains systems that house sensitive data, including personally identifiable information from complaints submitted by consumers across the country,” the letter stated. “We write to request information regarding your failure to protect the American public and once again demand that you halt your efforts to shutter the agency.”

The Trump administration said in a court filing earlier this month that the CFPB’s funding is unlawful and is on track to run out early next year. Still, the lawmakers implored Vought — who has overseen the CFPB’s destruction while serving in a full-time capacity as director of the Office of Management and Budget — to “reverse course on your illegal efforts to shutter the CFPB.”

Beyond that demand, the senators asked the CFPB to respond by Dec. 8 to questions about contract cancellations tied to cyber operations, including a list of all terminations and details on how those decisions were communicated. The lawmakers also want Vought to explain how the decision to end cybersecurity contracts impacted the agency’s “ability to implement a robust information security program.”

Since the immediate targeting of the CFPB in the early days of the Trump administration, the beleaguered agency has also withdrawn a rule targeting data brokers, signaled changes to a rule that gave the public more control over their personal financial data, and shifted its remaining cases to the Department of Justice.

The CFPB did not respond to a request for comment on the Democrats’ letter by the time of publication.
